This topic describes the limits and billing of Log Audit Service.

Limits

  • Storage methods and regions
    Important Before you use Log Audit Service for centralized storage or regional storage, you must evaluate whether the region in which you want to store logs meets the security requirements of related laws and regulations.
    • Centralized storage
      Logs that are collected from multiple Alibaba Cloud accounts across different regions are stored in a central project of a central Alibaba Cloud account. A central project can reside in the following regions.
      Note When you change the region of the central project within a central Alibaba Cloud account, Log Service creates a central project in the new region. The original project is not deleted.
      • Chinese mainland: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)
      • Outside the Chinese mainland: Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)
    • Regional storage

      For Server Load Balancer (SLB), Application Load Balancer (ALB), Object Storage Service (OSS), and PolarDB-X 1.0, if the access logs are collected from multiple Alibaba Cloud accounts, Log Audit Service stores the collected logs in the projects that belong to the central Alibaba Cloud account and reside in the same regions as the cloud services. This also applies to the flow logs of Virtual Private Cloud (VPC). For example, if access logs are collected from an OSS bucket that resides in the China (Hangzhou) region, the access logs are stored in a project that also resides in the China (Hangzhou) region.

    • Synchronization to a central project

      For SLB, ALB, OSS, PolarDB-X 1.0, and VPC, if regional storage is used, you can synchronize logs from the Logstores of regional projects to the Logstores of a central project. This way, you can query, analyze, and visualize the logs in a more efficient manner. You can also configure alerts for the logs and perform secondary development.

      The synchronization process is based on the data transformation feature of Log Service.

  • Resources
    • A central Alibaba Cloud account has only one functioning central project. The name of a central project is in the following format: slsaudit-center-Alibaba Cloud account ID-Region specified for the central project. Example: slsaudit-center-117938634953****-cn-beijing. You cannot delete a central project in the Log Service console. If you want to delete a central project, you can use Alibaba Cloud CLI or call API operations.
    • For SLB, ALB, OSS, PolarDB-X 1.0, and VPC, logs can be stored in multiple regional projects. The name of a regional project is in the following format: slsaudit-region-Alibaba Cloud account ID-Source region for collection. Example: slsaudit-region-117938634953****-cn-beijing. You cannot delete a regional project in the Log Service console. If you want to delete a regional project, you can use Alibaba Cloud CLI or call API operations.
    • If you enable log collection for a cloud service, Log Audit Service creates a dedicated Logstore. You can manage a dedicated Logstore in the same way that you manage other Logstores. A dedicated Logstore has the following limits:
      • To prevent data tampering, Log Service allows only the specified service to write logs to the dedicated Logstore. You cannot modify or delete indexes in the Logstore.
      • You can modify the retention period of logs or delete the dedicated Logstore only on the Global Configurations page of Log Audit Service or by calling API operations.
      • For SLB, ALB, OSS, PolarDB-X 1.0, and VPC, if Synchronization to Central Project is enabled, data transformation jobs are generated in the regional projects.
        • The following data transformation jobs are generated:
          • OSS logs: Internal Job: SLS Audit Service Data Sync for OSS Access
          • SLB logs: Internal Job: SLS Audit Service Data Sync for SLB
          • ALB logs: Internal Job: SLS Audit Service Data Sync for ALB
          • PolarDB-X 1.0 logs: Internal Job: SLS Audit Service Data Sync for DRDS
          • VPC logs: Internal Job: SLS Audit Service Data Sync for VPC
        • You can stop the data transformation jobs only on the Global Configurations page of Log Audit Service or by calling API operations.
        • If you turn on Synchronization to Central Project, the logs in the Logstores of the regional projects are synchronized to the dedicated Logstores of the central project. You can no longer manage the Logstores of the regional projects. However, you can perform operations such as queries on the Logstores of the central project.
  • Permissions
    If you want to use Log Audit Service to collect the audit logs of Kubernetes clusters, the events of K8s Event Center, and Ingress access logs, you must be aware of the following limits on permissions:
    • Log Audit Service allows you to collect Kubernetes logs only from a central Alibaba Cloud account. If multi-account collection is configured, you cannot collect Kubernetes logs from a different Alibaba Cloud account than the central Alibaba Cloud account.
    • Log Audit Service collects Kubernetes logs based on the data transformation feature. If you want to use Log Audit Service to collect Kubernetes logs, you must grant permissions to the central Alibaba Cloud account as described below.
      • Central Alibaba Cloud account: not upgraded
        • Role of the current central Alibaba Cloud account: sls-audit-service-monitor
        • Additional permissions: the sls-audit-service-monitor role must have the permission AliyunLogAuditServiceMonitorAccess and the following custom permission AliyunLogAuditServiceK8sAccess:
          {
              "Version": "1",
              "Statement": [
                  {
                      "Action": "log:*",
                      "Resource": [
                          "acs:log:*:*:project/k8s-log-*"
                      ],
                      "Effect": "Allow"
                  }
              ]
          }
      • Central Alibaba Cloud account: upgraded
        • Role of the current central Alibaba Cloud account: AliyunServiceRoleForSLSAudit
        • Additional permissions: only the AliyunServiceRoleForSLSAudit role is required. No additional permissions are required.
  • Data retention periods in days
    • In Log Audit Service, the audit logs, slow query logs, and error logs of ApsaraDB RDS instances are stored in the same Logstore, which is named rds_log. If log collection is enabled for all types of logs but the data retention periods are different, the largest value of the data retention periods is used.
    • In Log Audit Service, the audit logs, slow query logs, and error logs of PolarDB for MySQL clusters are stored in the same Logstore, which is named polardb_log. If log collection is enabled for all types of logs but the data retention periods are different, the largest value of the data retention periods is used.
    • In Log Audit Service, the traffic logs of the Internet firewall and VPC firewalls in Cloud Firewall are stored in the same Logstore, which is named cloudfirewall_log. If log collection is enabled for both types of traffic logs but the data retention periods are different, the larger value of the data retention periods is used.
    • In Log Audit Service, the access logs of Anti-DDoS Pro, Anti-DDoS Premium, and Anti-DDoS Origin are stored in the same Logstore, which is named ddos_log. If log collection is enabled for all types of access logs but the data retention periods are different, the largest value of the data retention periods is used.
    • In Log Audit Service, the audit logs of Kubernetes clusters and the events of K8s Event Center are stored in the same Logstore, which is named k8s_log. If log collection is enabled for the audit logs and events but the data retention periods are different, the larger value of the data retention periods is used.
    Note The preceding list describes the types of logs whose data retention periods are affected by each other. If you enable both log collection and hot and cold-tiered storage for these types of logs, the hot retention period of the logs is the largest value of the hot retention periods for these types of logs. If you enable log collection for all these types of logs but enable hot and cold-tiered storage only for some types of logs, hot and cold-tiered storage is automatically disabled for all the logs.

    For example, if you enable log collection and hot and cold-tiered storage for the audit logs and error logs of ApsaraDB RDS instances, the larger value of the hot retention periods for the audit logs and error logs is used. If you enable log collection for the audit logs and error logs of ApsaraDB RDS instances but enable hot and cold-tiered storage only for the audit logs, hot and cold-tiered storage is disabled for the rds_log Logstore in which the logs are stored.

  • Hot and cold-tiered storage
    The dedicated Logstores of Log Audit Service support the hot and cold-tiered storage feature. Cold storage costs less than hot storage but reduces query and analysis performance. However, the performance of other operations, such as alerting, visualization, transformation, and shipping, is not reduced. For more information, see Enable hot and cold-tiered storage for a Logstore.
    Note Log Audit Service allows you to enable the hot and cold-tiered storage feature in the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), and China (Shenzhen).

    You can enable the hot and cold-tiered storage feature on the Global Configurations page of Log Audit Service. The hot data retention period must be greater than or equal to 30 days but cannot exceed the current data retention period. For example, if the data retention period of a central project is 180 days and the hot data retention period is 30 days, hot data is moved to the cold storage after 30 days.
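    As an added example (not part of this documentation or the product's own code), the following Python models the retention rules for a shared Logstore such as rds_log and the hot retention bounds described above: the largest retention period among the enabled log types wins, tiered storage is disabled unless every enabled type has it enabled, and a hot retention period must be at least 30 days and no more than the retention period. The LogTypeConfig structure, the sample values, and the choice to check the hot retention bound per log type are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

MIN_HOT_DAYS = 30  # hot retention must be at least 30 days (rule from the page)

@dataclass
class LogTypeConfig:
    """Per-log-type settings (a constructed structure, not a product API)."""
    enabled: bool             # log collection switched on for this type
    retention_days: int       # data retention period of this type
    hot_days: Optional[int]   # hot retention period if tiering is on, else None

def validate_hot_days(retention_days: int, hot_days: int) -> None:
    """Reject a hot retention period outside [MIN_HOT_DAYS, retention_days]."""
    if hot_days < MIN_HOT_DAYS:
        raise ValueError(f"hot retention {hot_days} is below {MIN_HOT_DAYS} days")
    if hot_days > retention_days:
        raise ValueError(f"hot retention {hot_days} exceeds retention {retention_days}")

def resolve_shared_logstore(configs: Dict[str, LogTypeConfig]) -> dict:
    """Effective settings of one Logstore shared by several log types.

    The largest retention among enabled types wins. Tiering survives only when
    every enabled type has it on, in which case the largest hot retention wins;
    if only some types have it on, tiering is disabled for the whole Logstore.
    """
    enabled = [c for c in configs.values() if c.enabled]
    if not enabled:
        return {"retention_days": None, "hot_days": None, "tiered": False}
    retention = max(c.retention_days for c in enabled)
    if all(c.hot_days is not None for c in enabled):
        for c in enabled:  # assumption: each type's own bound is checked
            validate_hot_days(c.retention_days, c.hot_days)
        hot = max(c.hot_days for c in enabled)
        return {"retention_days": retention, "hot_days": hot, "tiered": True}
    return {"retention_days": retention, "hot_days": None, "tiered": False}

# Constructed sample for rds_log (audit, slow query and error logs share it).
RDS_ALL_TIERED = {
    "audit": LogTypeConfig(True, 180, 30),
    "slow": LogTypeConfig(True, 90, 60),
    "error": LogTypeConfig(True, 365, 45),
}
RDS_PARTIAL_TIERED = {  # tiering only on audit logs -> disabled for rds_log
    "audit": LogTypeConfig(True, 180, 30),
    "error": LogTypeConfig(True, 90, None),
}
```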

Billing

  • Log Service
    You must activate Log Service and enable Log Audit Service for the central Alibaba Cloud account that is used to collect logs from other Alibaba Cloud accounts. You do not need to activate Log Service for the other Alibaba Cloud accounts. However, if the cloud services within the other Alibaba Cloud accounts rely on Log Service, you must activate Log Service for these accounts. No fees for Log Service are generated in these accounts. When you use Log Audit Service, you are charged for the data storage, read and write traffic, and data transformation based on the pay-as-you-go billing method. For more information, see Billable items.
    Important
    • For SLB, ALB, OSS, PolarDB-X 1.0, and Container Service for Kubernetes (ACK), if Synchronization to Central Project is enabled, the collected logs are synchronized based on the data transformation feature. You are charged for data transformation and cross-network traffic based on the pay-as-you-go billing method. For more information, see Billable items.
    • You can use Log Audit Service or a common collection method to collect logs. You are charged when you use either of the two methods. If you use both methods to collect logs, Log Service stores two copies of data. You can use the two copies of data in different scenarios.
      • Log Audit Service: This application supports automated and centralized log collection from cloud services across multiple Alibaba Cloud accounts in real time. The collected logs are used for compliance and auditing.
      • Common method: Logs are collected by region and separately managed. The collected logs are used for log analysis. For more information, see Alibaba Cloud service logs.

    You can use free resource quotas or purchase resource plans to offset your fees.

  • Cloud services
    After you enable Log Audit Service in the Log Service console and enable log collection for cloud services, you may be charged additional fees. The fees are included in the bills for the cloud services. The following list describes the cloud services that may generate additional fees.
    • Web Application Firewall (WAF): You are charged for the Log Service for WAF feature that is purchased in the WAF console. For more information about the feature fees, see Billing.
    • Security Center (SAS): You are charged for the log analysis feature that is enabled in the Security Center console. For more information about the feature fees, see Billing.
    • Cloud Firewall: You are charged for the log analysis feature that is enabled in the Cloud Firewall console. For more information about the feature fees, see Billing.
    • ApsaraDB RDS: After you enable log collection for ApsaraDB RDS, the SQL Explorer or SQL Audit feature is automatically enabled on the ApsaraDB RDS instances that meet the requirements. ApsaraDB RDS for MySQL instances that do not run the Basic Edition and ApsaraDB RDS for PostgreSQL instances that run the High-availability Edition are supported. You are charged for the SQL Explorer or SQL Audit feature. For more information about the feature fees, see Billable items, billing methods, and pricing.
      Note
      • If you have enabled SQL Explorer Trial Edition for your ApsaraDB RDS instance, Log Audit Service automatically disables SQL Explorer Trial Edition and enables the SQL Explorer feature after log collection is enabled.
      • By default, the logs that are generated by the SQL Explorer feature are stored for 30 days. If you want to change the storage duration, you must perform the operation in the ApsaraDB RDS console. For more information, see Modify the retention period of SQL audit logs. The storage duration is independent of the data retention period in Log Audit Service that is specified for the audit logs of your ApsaraDB RDS instance. The storage duration and data retention period do not affect each other.

        If the storage duration that you specify in the ApsaraDB RDS console is less than 30 days, the logs cannot be delivered to Log Service. Log Audit Service automatically changes the duration to 30 days.

      • If you have stopped collecting the audit logs of your ApsaraDB RDS instance and want to disable the SQL Explorer feature, you must disable the feature in the ApsaraDB RDS console. For more information, see Disable the SQL Explorer feature.
    • PolarDB: After you enable log collection for PolarDB, the SQL Explorer or SQL Audit feature is automatically enabled on the PolarDB clusters that meet the requirements. Only PolarDB for MySQL clusters are supported. You are charged for the SQL Explorer or SQL Audit feature. For more information about the feature fees, see Billable items.
      Note
      • If you have enabled the trial edition of the SQL Explorer feature for your PolarDB for MySQL cluster, Log Audit Service automatically disables the trial edition and enables the official edition of the SQL Explorer feature after log collection is enabled.
      • By default, the logs that are generated by the SQL Explorer feature are stored for 30 days. If you want to change the storage duration, you must perform the operation in the ApsaraDB PolarDB console. For more information, see Change the retention period of SQL logs. The storage duration is independent of the data retention period in Log Audit Service that is specified for the audit logs of your PolarDB for MySQL cluster. The storage duration and data retention period do not affect each other.

        If the storage duration that you specify in the ApsaraDB PolarDB console is less than 30 days, the logs cannot be delivered to Log Service. Log Audit Service automatically changes the duration to 30 days.

      • If you have stopped collecting the audit logs of your PolarDB for MySQL cluster and want to disable the SQL Explorer feature, you must disable the feature in the ApsaraDB PolarDB console. For more information, see Disable the SQL Explorer feature.
    • Anti-DDoS: You are charged for the log analysis feature that is purchased in the Anti-DDoS Pro console. For more information about the feature fees, see Overview.
    • VPC: When you use flow logs, you are charged Log Service usage fees and log generation fees. For more information, see Billing of flow logs.
      Note
      • You can enable the collection of VPC flow logs by using Log Audit Service or the VPC console. The operations that you perform in Log Audit Service are independent of the operations that you perform in the VPC console. You can enable or disable the collection of VPC flow logs based on your business requirements. These methods are charged separately based on their individual fees.
      • Before you delete a project that is used to store the audit logs of a VPC, you must disable the collection of flow logs for the VPC. Otherwise, the collection of flow logs remains enabled for the VPC after the project is deleted.